Apple's iCloud service lets users sync a staggering amount of data between Macs, Windows PCs, iPhones, and iPads. Though Apple says it stores this data securely in an encrypted format, just how safe is it? An Ars reader wrote in to ask us this question, so we decided to investigate.

The simple answer is that your data is at least as safe as it is when stored on any remote server, if not more so. All data is transferred to computers and mobile devices over Secure Sockets Layer (SSL) via WebDAV, IMAP, or HTTP. All data except e-mail and notes—more on that later—is stored encrypted on disk on Apple's servers. And secure authentication tokens are created on mobile devices to retrieve information without constantly transmitting a password.

The data stored on Apple's iCloud servers includes photos in your Photo Stream, any documents stored in iCloud, backups for iOS devices, @me.com e-mail, contacts, calendars, Safari bookmarks, reminders, and notes. According to Apple, all data is stored encrypted on disk except e-mail and notes. The exception for e-mail may be due to performance reasons, including supporting features like searching messages on the server or partially downloading messages and attachments.

As far as we can determine, no common IMAP providers encrypt messages on disk for consumer e-mail services. (Commercial services do exist to securely transport e-mail and encrypt it on disk for HIPAA compliance, however.) Instead, most providers offer support for S/MIME encrypted messages, which requires encrypting messages sent by your e-mail client and relying on the receiver's client to decrypt using a key you provide. Doing so is the only way to ensure end-to-end encryption of message contents.

Notes are also not encrypted on iCloud servers. The reason is that iCloud currently syncs notes using IMAP, and a result of this method is that your notes are synced on Mac OS X via Mail. However, OS X 10.8 (Mountain Lion) will include a proper Notes app when it's launched this summer, so it's possible that future Notes will use iCloud's document store APIs, and these notes will be encrypted on disk like the rest of iCloud data.

For now, though, it's technically possible for an unscrupulous Apple data center employee to rifle through your e-mail or notes. The likelihood is remote, and Apple promises in its privacy policy that it "takes precautions—including administrative, technical, and physical measures—to safeguard your personal information against loss, theft, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction." Those who routinely send and receive messages of importance to national security—or just the more paranoid among us—may want to consider a more secure alternative for e-mail and notes.

What about what Apple doesn't tell us?

Apple would not disclose to us the methods used to encrypt data on disk, and merely claimed to use industry standard practices to ensure user data is stored securely. Still, we can make a few educated guesses about the level of security used. To start, several sources we consulted believe that Apple is using Microsoft Azure to power its iCloud data store. Using a WebDAV client, we were able to access some of our iCloud data by guessing the server name and path; once authenticated, that data was human readable. Since we know that Apple encrypts this kind of data, the company is likely using some type of file-system encryption that is decrypted on the fly when requested from an authenticated device or computer.

Mac OS X appears to use the PBKDF2 (Password-Based Key Derivation Function) standard recommended by the National Institute of Standards and Technology (NIST) to generate encryption keys for things like FileVault and Keychain. Outside of a direct explanation of the exact algorithms and key lengths from Apple, it seems reasonable to presume Apple is using this same "industry standard practice" to generate the secure tokens used to access iCloud from authenticated devices.

Essentially, NIST considers PBKDF2 "good enough for government work," so federal agencies can use it to secure data as required by the Federal Information Security Management Act (FISMA) of 2002. Assuming Apple is generating keys that are more than 64 bits in length, the chances of someone brute-forcing the key and decrypting the data within a lifetime are slim to none.

Your iCloud data also isn't generally shared with third parties, but some personal information, such as name and address, may be shared with, for instance, a credit card processing service. As far as your Safari bookmarks or iPhone photos, however, that information is only given out when required by law, such as when it's required by court order. "We may also disclose information about you if we determine that, for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate," Apple wrote in its privacy policy.

As best as we can determine, if your Apple ID isn't a widely known e-mail address with an easy-to-guess password (Apple now requires a combination of uppercase and lowercase letters and numbers, at a minimum), your iCloud data is effectively "safe" from hackers or prying third parties. E-mail and notes are not as secure as other data, though they don't appear to be any less secure than they would be at other common IMAP e-mail providers. If you require HIPAA-level security compliance, you'll need a different solution for e-mail—but then again, you likely wouldn't be using a personal e-mail address for such purposes in the first place. And you could use standard end-to-end encryption such as S/MIME or PGP to secure e-mail messages from sender to receiver.

About law enforcement: does Apple have any guidelines on which law enforcement agencies are allowed to access data, and how? This is especially interesting for international customers. Will they provide access to the customers' local law enforcement, or, to ask the other way around, will they provide US access to non-US customers' data?

Not taking any issue with the content of the article but rather wanting to point out that it's important to raise a larger issue: Even if a cloud service is well designed to be secure it's inherently more likely to lead to a compromise of your privacy than data you keep only on local storage. Remember, even if your local storage is not secure, it's now ALSO on a Cloud server. It's *always* a net-increase to risk.

I think users would do well to think a lot more carefully about what they put where and that we, the 'geek community' should advocate for tools that empower users to control what goes where and what form.

- A cloud service is a honeypot. Black hats interested in getting as much information as possible have a higher value *single* target by attacking a cloud service and being able to get access to thousands or millions of accounts than they would attacking you or hoping to snare you with a Trojan. A Trojan MOST people won't have the means to thwart so they don't need to make it artful enough to circumvent, for example, Little Snitch or Hands Off! that *some* users will wisely choose to install.

- A cloud service is more exposed to government or corporate fishing expeditions.

- If your soon to be ex-spouse or business partner wants to see your files on your machine, they need to subpoena *you*. You'll see them coming. If they subpoena Apple (or DropBox or any other cloud provider), you may not until you're in discovery.

My point in this is that, among other risks, the enormous convenience of Cloud sync and sharing services comes with comparably large risks. It's extremely valuable to have Chris and Ars writing articles like this that discuss how a cloud service does, or does not, secure your data but I think it's equally important to try and educate users about the things they trade for convenience.

Also remember, your company policy, and this is something Chris alludes to at the end of the article, may not consider Apple (or DropBox or Mozy or... or...) a trusted provider. Your company may also have legal obligations to their partners or customers not to allow data onto these services.

Sure would be nice to have 'iCloud sync' be a service available for LOCALLY hosted Mountain Lion Server... for example.

Quote:

Sure would be nice to have 'iCloud sync' be a service available for LOCALLY hosted Mountain Lion Server... for example.

How much extra exposure would that leave their own iCloud servers with?

Besides having something to practice attacking and analyzing to probe for weaknesses, wouldn't there be key pairs that they are going to have to provide the ability to replace on the client side and server side to ensure that the server software isn’t pulled apart for the server side key that is being used with the general public? I have a hunch that would be the case.

Quote:

Also remember, your company policy, and this is something Chris alludes to at the end of the article, may not consider Apple (or DropBox or Mozy or... or...) a trusted provider. Your company may also have legal obligations to their partners or customers not to allow data onto these services.

Well Mozy and Google Apps are both SAS 70 compliant providers and that is great... I do not see ANY certifications with iCloud.

Though SAS 70 does not make the environment "more" secure, it really does at least give some peace of mind...

Letting Apple encrypt your data or any other cloud service is just not smart because they can and will have to unencrypt it for any law enforcement reason. Plus you never know who at Apple or their hosted locations has access to all this data, this is why the FBI won't let law enforcement email be hosted in the cloud who can't guarantee this. If you value your privacy you should self encrypt all data before storing it in the cloud.

As to how easy it is to access your data from iCloud: if it is unencrypting based off of a device or via authentication, you have just defeated the purpose of good encryption. I see day in and day out people sharing everything and anything on their computer and putting it up for the whole internet to see. I am also willing to bet that for a majority of Apple users, if they have a password for iCloud, it is probably going to be as simple as it can be. Usually if someone needs an Apple computer worked on I can guess the password as being "password" or some other simple-to-guess password, if they even have one, because everyone that owns an Apple device doesn't want to be bothered by complex passwords because it gets in the way. If it's complex, rest assured it is either taped to the device or stored in their carrying case.

I always tell people to encrypt their Macs' hard drives but they don't as it takes away the ease. I somewhat figure that Apple has a backdoor to any encrypted drive on an Apple device anyways. Probably transmits the encryption key when you go use iTunes, but like I said their best backdoor is that no one on a Mac wants to use anything but a simple-to-guess password. Every idiot with an iPhone, I can just open it up and get into everything on their phone without even breaking a sweat; doesn't matter if the iCloud password is complex because they have it cached on the phone or device, which doesn't require a complex password.

As for email they don't encrypt it because it would be stupid to do so. Any part of the internet where the email passes through is totally clear text already. All email should be treated as public information period.

I for one would never trust Apple or any other company with data unless I encrypted it, because if you read the service agreement they can't be at fault for anything that happens while you use the service. Dropbox's terms of service are laughable. Zuck had it right by not worrying about privacy, as anyone idiotic enough to load it to the web doesn't realize how many people have access to it already.

Quote:

Also remember, your company policy, and this is something Chris alludes to at the end of the article, may not consider Apple (or DropBox or Mozy or... or...) a trusted provider. Your company may also have legal obligations to their partners or customers not to allow data onto these services.

Quote:

Well Mozy and Google Apps are both SAS 70 compliant providers and that is great... I do not see ANY certifications with iCloud.

Quote:

Though SAS 70 does not make the environment "more" secure, it really does at least give some peace of mind...

No, it doesn't, unless you've reviewed their full SAS 70. A SAS 70 is simply a statement with a description of controls by the entity being certified. An external auditor then simply audits to make sure those controls meet said description. It is entirely up to the audited organization to decide which controls are part of said audit. Conveniently enough, many organizations won't share their SAS 70 either until you're in bed with them far enough it isn't economically feasible to pull out of the deal.

Quote:

Assuming Apple is generating keys that are more than 64 bits in length, the chances of someone brute-forcing the key and decrypting the data within a lifetime are slim to none.

This probably isn't a big deal for something like iCloud that shouldn't be storing sensitive information in the first place, but a 64 bit key is definitely NOT secure anymore. DES uses 56 bit keys and it's considered insecure; if we abide by Moore's law, a 64 bit key should be crackable 6 years after a 56 bit key is. You definitely want something more than 80 bits, and preferably 128 bits (which is the minimum if they're using AES anyway).
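The article's PBKDF2 paragraph and the reply above argue about two different numbers: the length of the derived key (where the reply points out that 64 bits is no longer safe) and the cost of guessing the password the key is derived from, which is what PBKDF2's iteration count actually raises. The following is an added example, not code from Apple or from the article, that makes both concrete. It reimplements PBKDF2-HMAC-SHA256 as specified in RFC 8018 / NIST SP 800-132 (Apple has not disclosed which PRF or parameters it uses, so that choice is an assumption), and estimates exhaustive-search time at an assumed rate of 10^12 trials per second; the password, salt and iteration count are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math"
)

const secondsPerYear = 365.25 * 24 * 3600

// pbkdf2SHA256 derives keyLen bytes from password and salt with PBKDF2 using
// HMAC-SHA256 as the PRF (RFC 8018 section 5.2). Illustrative reimplementation;
// Apple's actual algorithm and parameters are not public.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	hashLen := sha256.Size
	blocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, blocks*hashLen)
	mac := hmac.New(sha256.New, password)
	for i := 1; i <= blocks; i++ {
		// U1 = PRF(password, salt || INT(i)), INT(i) big-endian 32-bit
		mac.Reset()
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		// U_n = PRF(password, U_{n-1}); T_i = U1 xor U2 xor ... xor U_c
		for n := 1; n < iterations; n++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// exhaustYears returns the years needed to try every keyBits-bit key at
// guessesPerSec trials per second; on average the attacker succeeds halfway.
func exhaustYears(keyBits int, guessesPerSec float64) float64 {
	return math.Ldexp(1, keyBits) / guessesPerSec / secondsPerYear
}

// passwordGuessYears models the realistic attack on a password-derived key:
// the attacker guesses passwords, not keys, and each guess costs `iterations`
// PRF calls, so the work is 2^entropyBits * iterations PRF evaluations.
func passwordGuessYears(entropyBits, iterations int, prfPerSec float64) float64 {
	return math.Ldexp(float64(iterations), entropyBits) / prfPerSec / secondsPerYear
}

func main() {
	// Constructed sample inputs; a real deployment uses a random per-user salt.
	key := pbkdf2SHA256([]byte("correct horse battery staple"), []byte("per-user-random-salt"), 10000, 32)
	fmt.Println("derived 256-bit key:", hex.EncodeToString(key))

	rate := 1e12 // assumed trial rate for a well-funded attacker
	for _, bits := range []int{56, 64, 80, 128} {
		fmt.Printf("%3d-bit key: %.3g years to exhaust the keyspace\n", bits, exhaustYears(bits, rate))
	}
	// A 40-bit-entropy password behind 10,000 iterations costs the attacker
	// as much as a 40 + log2(10000) ~ 53-bit key: iterations help, but cannot
	// turn a weak password into a 128-bit key.
	fmt.Printf("40-bit password, 10000 iterations: %.3g years\n", passwordGuessYears(40, 10000, rate))
}
```

The point the numbers make: a 56-bit keyspace falls in hours at this rate and 64 bits in months, while 80 bits takes tens of thousands of years and 128 bits is out of reach regardless of iteration count; conversely, no iteration count rescues a short password, which is why the derived key's length and the password's entropy have to be judged separately.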

Quote:

About law enforcement: does Apple have any guidelines on which law enforcement agencies are allowed to access data, and how? This is especially interesting for international customers. Will they provide access to the customers' local law enforcement, or, to ask the other way around, will they provide US access to non-US customers' data?

Apple as a US company is subject to the PATRIOT Act and as such is legally obliged to disclose any information it holds on non-US residents and organisations if asked to do so in a court order. This is one reason why many people outside the USA are increasingly turning to non-US companies for cloud service provision.

Quote:

Letting Apple encrypt your data or any other cloud service is just not smart because they can and will have to unencrypt it for any law enforcement reason.

Most law enforcement efforts, of course, are against corporate data where companies are OBLIGATED in various ways to preserve records. Individuals, too: you'll recall a recent story of somebody facing contempt of court for not decrypting a laptop, only dropped when the authorities managed to break the encryption. If you come under suspicion these days, expect a very strong assault on Americans' rights against self-incrimination.

In general, anything that you think of as legally sensitive shouldn't exist, in any form, anywhere.

Quote:

Also remember, your company policy, and this is something Chris alludes to at the end of the article, may not consider Apple (or DropBox or Mozy or... or...) a trusted provider. Your company may also have legal obligations to their partners or customers not to allow data onto these services.

Quote:

Well Mozy and Google Apps are both SAS 70 compliant providers and that is great... I do not see ANY certifications with iCloud.

Quote:

Though SAS 70 does not make the environment "more" secure, it really does at least give some peace of mind...

Quote:

No, it doesn't, unless you've reviewed their full SAS 70. A SAS 70 is simply a statement with a description of controls by the entity being certified. An external auditor then simply audits to make sure those controls meet said description. It is entirely up to the audited organization to decide which controls are part of said audit. Conveniently enough, many organizations won't share their SAS 70 either until you're in bed with them far enough it isn't economically feasible to pull out of the deal.

That being said having the certifications is way better than not... So any way you look at it Apple does not have them.

Quote:

About law enforcement: does Apple have any guidelines on which law enforcement agencies are allowed to access data, and how? This is especially interesting for international customers. Will they provide access to the customers' local law enforcement, or, to ask the other way around, will they provide US access to non-US customers' data?

Quote:

Apple as a US company is subject to the PATRIOT Act and as such is legally obliged to disclose any information it holds on non-US residents and organisations if asked to do so in a court order. This is one reason why many people outside the USA are increasingly turning to non-US companies for cloud service provision.

Agreed. Those of us who are tin foil hat wearers (remember, shiny side out) like to encrypt our data on-site before uploading it to the cloud.

The US government's position is that they can get your data without a warrant, anywhere in the US, or elsewhere in the world if it's a US hosting company. In my opinion, you're better off doing your own encryption than relying on the idea that a non-US host won't give up your data.

Other than the obvious (things like credit card statements), I don't have anything where I'd be harmed by disclosure. But the creepy lengths the government has gone to to make sure they can get a peek at everything make me especially zealous about hiding whatever it is they think they need access to. Maybe they know something I don't.
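Several commenters in this thread (the "self encrypt all data before storing it in the cloud" post further up, and the "encrypt our data on-site before uploading" reply above) recommend encrypting on the device so the provider only ever holds ciphertext. The following is an added example, not code from Apple, iCloud or any commenter, of what that looks like in practice: a random 256-bit data key that never leaves the device, AES-256-GCM so that tampering with the stored blob is detected, and the object's storage name bound as associated data so a blob cannot be silently served back under a different name. The blob layout (nonce || ciphertext || tag), the object names and the note contents are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newDataKey generates a random 256-bit AES key. It must stay on the user's
// device (for instance in the local keychain); the cloud provider never sees it.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealForUpload encrypts plaintext with AES-256-GCM before it leaves the device.
// Output layout (constructed for this example): 12-byte nonce || ciphertext || 16-byte tag.
// The storage name is bound as associated data, so a blob stored under one name
// fails authentication if it is returned under another.
func sealForUpload(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the nonce travels with the blob.
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// openFromCloud verifies and decrypts a blob fetched back from the provider.
// Any modification of nonce, ciphertext, tag or name makes Open return an error.
func openFromCloud(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a note that should never reach the provider in the clear.
	note := []byte("dentist Tuesday 10:00; renew passport")
	name := "notes/2012-05.txt"

	blob, err := sealForUpload(key, name, note)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploading %d bytes; none of them readable without the device key\n", len(blob))

	// A blob altered in transit or at rest is rejected by the GCM tag check.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := openFromCloud(key, name, tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	back, err := openFromCloud(key, name, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(back, note))
}
```

The design choice worth noting: the provider's own disk encryption (the article's "decrypted on the fly when requested from an authenticated device") protects against a stolen disk, not against the provider or anyone who can authenticate as you; holding the key only on the device is what changes that, at the cost that a lost key means lost data, so the key needs its own local backup.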

Re. the Patriot Act, it's the reason UK public sector and government orgs cannot use cloud services from the USA. Within my NHS trust we're trying to educate doctors about not using their personal iPads and iPhones for work purposes. It's a shame given Apple can tightly integrate their software but third parties cannot.

Quote:

That being said having the certifications is way better than not... So any way you look at it Apple does not have them.

You're missing the point here. SAS-70 (now replaced with SSAE16) is not a "certification". Apple is in no way obligated to disclose that they conduct an SSAE16 nor is there a repository that you can go check to see that they are "certified". I can get an SSAE16 report that just covers a business process which has nothing to do with the IT function and claim to be "SAS-70 Certified" or to take it a step further, I could just state I am "SAS-70 Certified" without ever having issued a report. There is no governing body therefore, as neoscsi stated, this "certification" does not give you *any* comfort unless you have read the full report.

(Why do I *want* to know that stuff? Beyond curiosity, it'd help me set up servers/services to use my data in other ways. Like, for one example, it'd be awesome if I could set up a PHP script on my own server that presented my synced bookmarks as a web page, so I could still access them when I didn't have any of my own devices handy. And I've been thinking of writing a family of apps that store data from multiple devices into iCloud key/value pairs, on which I might want to run reports. It was simpler for developers under MobileMe, when all file/data sync with iDisk was simple WebDAV in a shared filespace. I will concede that the iCloud method is simpler for most typical users.)

I'm wondering what everyone is putting on their devices that they are so worried about getting hacked and losing? Bank info, credit card info, social security numbers? If so WHY are you putting that on devices? iCloud also will sync your iWork documents as well, so just keep that in mind.

iCloud backs up the data inside your iOS apps. Don't want it backed up, then just change the settings to indicate you don't want that app data backed up. iCloud backs up your contacts, calendar, bookmarks and photos. Any of those you can choose not to back up. It's a consumer based backup, not an enterprise solution, so it's not for business or law enforcement. It's basically a backup for the mass amounts of idiots who never back up their devices and then go to Apple crying when it doesn't work anymore and their data is gone.

If you have any sensitive info on your device, just make sure that data NEVER gets backed up to iCloud.

Quote:

That being said having the certifications is way better than not... So any way you look at it Apple does not have them.

Quote:

You're missing the point here. SAS-70 (now replaced with SSAE16) is not a "certification". Apple is in no way obligated to disclose that they conduct an SSAE16 nor is there a repository that you can go check to see that they are "certified". I can get an SSAE16 report that just covers a business process which has nothing to do with the IT function and claim to be "SAS-70 Certified" or to take it a step further, I could just state I am "SAS-70 Certified" without ever having issued a report. There is no governing body therefore, as neoscsi stated, this "certification" does not give you *any* comfort unless you have read the full report.

I am not missing the point - I think you are... Many organizations require that their hosts have these types of reports in order to store their data. Service providers that take the time to handle these audits are IMO more transparent and thus more reliable hosts.

If I had to choose between a company that only handles their audits internally, and does not report that they have ANY certifications for data security / storage, etc... and then a company that does have 3rd party audits, and states they have their certifications in line, I think I would go with the latter...

Are you actually saying these things are nothing... OR because it's Apple it does not matter?

Quote:

That being said having the certifications is way better than not... So any way you look at it Apple does not have them.

Quote:

You're missing the point here. SAS-70 (now replaced with SSAE16) is not a "certification". Apple is in no way obligated to disclose that they conduct an SSAE16 nor is there a repository that you can go check to see that they are "certified". I can get an SSAE16 report that just covers a business process which has nothing to do with the IT function and claim to be "SAS-70 Certified" or to take it a step further, I could just state I am "SAS-70 Certified" without ever having issued a report. There is no governing body therefore, as neoscsi stated, this "certification" does not give you *any* comfort unless you have read the full report.

Quote:

I am not missing the point - I think you are... Many organizations require that their hosts have these types of reports in order to store their data. Service providers that take the time to handle these audits are IMO more transparent and thus more reliable hosts.

Quote:

If I had to choose between a company that only handles their audits internally, and does not report that they have ANY certifications for data security / storage, etc... and then a company that does have 3rd party audits, and states they have their certifications in line, I think I would go with the latter...

Quote:

Are you actually saying these things are nothing... OR because it's Apple it does not matter?

Perot Systems themselves wrote the SAS70 tests that were then performed by an external auditor (prior to Dell purchasing them, that is). It is an exercise left to the reader to determine the value of such a report.

Apple requires strong passwords? Rather the opposite: by requiring me to type my AppleID password with the iOS onscreen keyboard every time I update an app (even a free one, even if I have a secure iPhone unlock password), they are essentially requiring a weak password on AppleIDs. They also refuse to automatically retrieve it from an unlocked Keychain on Mac, even though automatic Keychain retrieval is good enough for mail, servers, banking web forms, disk encryption, and basically everything that really counts.

I would love to have a separate *real* AppleID password for things that properly unlock along with my phone/Mac, while using a crappy, easily-iPhone-typable password for their precious App Store/iTunes. Or they could just stop insisting I constantly type that password even when my phone/Keychain is already unlocked.

Quote:

I am also willing to bet that a majority of Apple users if they have a password for iCloud it is probably going to be as simple as it can be.

This is hardly unique to Apple users but read the article: Apple requires a minimal standard for passwords that prevents 'password' from being used for iCloud

Quote:

Usually if someone needs an Apple computer worked on I can guess the password as being "password" or some other simple-to-guess password, if they even have one, because everyone that owns an Apple device doesn't want to be bothered by complex passwords because it gets in the way. If it's complex, rest assured it is either taped to the device or stored in their carrying case.

Utter horseshit.

Quote:

I always tell people to encrypt their Macs' hard drives but they don't as it takes away the ease. I somewhat figure that Apple has a backdoor to any encrypted drive on an Apple device anyways. Probably transmits the encryption key when you go use iTunes, but like I said their best backdoor is that no one on a Mac wants to use anything but a simple-to-guess password. Every idiot with an iPhone, I can just open it up and get into everything on their phone without even breaking a sweat; doesn't matter if the iCloud password is complex because they have it cached on the phone or device, which doesn't require a complex password.

Utter horseshit. iOS devices since the 3GS are all encrypted by default. Encrypting a Mac's HD since Lion has become trivially easy and has no impact on usability at all unless you require the absolute highest read/write speeds for your profession (video pros).

Quote:

I am not missing the point - I think you are... Many organizations require that their hosts have these types of reports in order to store their data. Service providers that take the time to handle these audits are IMO more transparent and thus more reliable hosts.

Quote:

If I had to choose between a company that only handles their audits internally, and does not report that they have ANY certifications for data security / storage, etc... and then a company that does have 3rd party audits, and states they have their certifications in line, I think I would go with the latter...

Quote:

Are you actually saying these things are nothing... OR because it's Apple it does not matter?

I didn't mean to ruffle your feathers but here is the problem with your line of thinking:

Quote:

Well Mozy and Google Apps are both SAS 70 compliant providers and that is great...

Have you seen the full report? Do you know what objectives it covered? Do you know if it was an unqualified opinion? Do you know what controls failed? Are you fine with those controls failing?

Quote:

I do not see ANY certifications with iCloud.

Unless you have seen the reports for either of the other organizations, what confirmation do you have that they issued a report and that the opinion was unqualified? Again, it is not a certification so iCloud is in no way obligated to disclose that they performed a SAS70 even if they issued one to their user organizations NOR are you able to go and confirm that any other organizations are "certified".

Quote:

Are you actually saying these things are nothing... OR because it's Apple it does not matter?

SAS70s are very beneficial to user organization auditors so that they don't have to do their own independent testing and can rely upon the report. The report's importance is dependent solely on the reader of the report.

All that I am saying is that without reading the full report or at the very least, seeing the objectives and opinion of the report, anyone claiming "SAS70 Certified" should not mean anything to you since you have no assurance of WHAT was audited or even IF it was actually audited.

I am trying to stop the spread of misinformation here - any organization claiming to be "SAS70 Certified" is merely a marketing gimmick and should not mean anything to you until you see the report and make your own judgement.

Quote:

About law enforcement: does Apple have any guidelines on which law enforcement agencies are allowed to access data, and how? This is especially interesting for international customers. Will they provide access to the customers' local law enforcement, or, to ask the other way around, will they provide US access to non-US customers' data?

Quote:

Apple as a US company is subject to the PATRIOT Act and as such is legally obliged to disclose any information it holds on non-US residents and organisations if asked to do so in a court order. This is one reason why many people outside the USA are increasingly turning to non-US companies for cloud service provision.

Just wanted to reiterate this point.

Quote:

Any data which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by U.S. authorities (under the PATRIOT ACT).

Also, there are several methods the authorities can use in which to not inform you of the fact that they have accessed or have copies of your data.

Quote:

I always tell people to encrypt their Macs' hard drives but they don't as it takes away the ease. I somewhat figure that Apple has a backdoor to any encrypted drive on an Apple device anyways. Probably transmits the encryption key when you go use iTunes, but like I said their best backdoor is that no one on a Mac wants to use anything but a simple-to-guess password. Every idiot with an iPhone, I can just open it up and get into everything on their phone without even breaking a sweat; doesn't matter if the iCloud password is complex because they have it cached on the phone or device, which doesn't require a complex password.

When Apple came out with FileVault it was buggy as hell. The risk of losing data to a bug was higher than the risk of someone getting access to my Mac.

The new whole disk version is supposed to be much better, but it means you have to run Lion. That means losing access to PowerPC apps and having to endure the flakiness of Lion. No thank you.

Quote:

I always tell people to encrypt their Macs' hard drives but they don't as it takes away the ease. I somewhat figure that Apple has a backdoor to any encrypted drive on an Apple device anyways. Probably transmits the encryption key when you go use iTunes, but like I said their best backdoor is that no one on a Mac wants to use anything but a simple-to-guess password. Every idiot with an iPhone, I can just open it up and get into everything on their phone without even breaking a sweat; doesn't matter if the iCloud password is complex because they have it cached on the phone or device, which doesn't require a complex password.

Quote:

Utter horseshit. iOS devices since the 3GS are all encrypted by default. Encrypting a Mac's HD since Lion has become trivially easy and has no impact on usability at all unless you require the absolute highest read/write speeds for your profession (video pros).

I think you missed the part where the person you're quoting gains physical access to your phone and, after trying 1234 as the unlock code, gains access to your entire life. Like a chain, data security is only as strong as the weakest link.

Quote:

That being said having the certifications is way better than not... So any way you look at it Apple does not have them.

Most companies don't publicize their SAS 70s, as they're only usually relevant to business partners who receive a copy after signing an NDA and asking for it. Apple is not well known for volunteering any information on anything, especially internal business processes and controls. So no, you don't know that Apple doesn't have one.

That being said having the certifications is way better than not... So any way you look at it Apple does not have them.

You're missing the point here. SAS-70 (now replaced with SSAE16) is not a "certification". Apple is in no way obligated to disclose that they conduct an SSAE16 nor is there a repository that you can go check to see that they are "certified". I can get an SSAE16 report that just covers a business process which has nothing to do with the IT function and claim to be "SAS-70 Certified" or to take it a step further, I could just state I am "SAS-70 Certified" without ever having issued a report. There is no governing body therefore, as neoscsi stated, this "certification" does not give you *any* comfort unless you have read the full report.

I am not missing the point - I think you are... Many organizations require that their hosts have these types of reports in order to store their data. Service providers that take the time to handle these audits are IMO more transparent and thus more reliable hosts.

If I had to choose between a company that only handles their audits internally, and does not report that they have ANY certifications for data security / storage, etc... and then a company that does have 3rd party audits, and states they have their certifications in line, I think I would go with the latter...

Are you actually saying these things are nothing... OR because it's Apple it does not matter?

Conveniently, iCloud is marketed at individuals, not organizations that require SAS70s. There are other service providers for that.

And I say it because "it doesn't matter". And don't worry, I get to tell someone at least twice a month that "No, just having a SAS70 does not excuse a third party from our security requirements, unless we can review it in its entirety without signing an NDA. And only then if it addresses everything required by our requirements." The devil is in the details of what's NOT mentioned in SAS70s. Most have holes you could fly an A380 through.

If you want, you can confirm Apple is compliant with PCI-DSS. That is public information. While there are many problems with that standard, at least it's a *standard* they're being rated against. Also published is Apple's WebTrust certification. While that likely only applies to the environment their CA is in, by its nature a lot of those protections would likely carry over to other areas of their environment.

Compliance to a regulation - whether PCI DSS, or to a control framework based on SAS70/COBIT/ISO27000 or other risk controls frameworks which have no guarantees of security - doesn't mean a system weakness will not be exploitable. All they show is compliance to a particular framework - at that singular moment in time the auditor asked questions, sampled data, ran tests. No more, no less. Meanwhile, agile attackers are adapting their malware, planning recon missions, devising schemes to get in, and may already be well behind the compliant organization's perimeter security taking full advantage - possibly even with an auditor running a scan at that moment. It's happened, will happen again, cloud or no cloud.

The fact that emails are not encrypted is interesting - from a honeypot perspective, email accounts routinely contain cleartext passwords from badly designed reset schemes, open password reset URLs, clear PII data from careless companies (like mortgage application data, credit app data, etc.) and other handy information to facilitate a secondary compromise - juicy stuff when it's all contained in one convenient soft-centered data center.

S/MIME (and similar PKI-based techniques), however, are taking a first-class, most usable device on the market with a very appealing cloud storage back end and rendering email encryption into something from the 1990s - clunky, X.509 key management headaches and largely impossible to use in any meaningful way apart from for the few technical users willing to persist through a world of pain to get it working. Try using that in a corporate of 10,000 employees to millions of recipients and it's pretty much game over from the start - but now iCloud creates a risk to drive the need for encryption at the cloud edge before it gets into it, for a myriad of compliance reasons.

Luckily, the third party market offers data-centric alternatives - stay tuned on that front!

Cheers,
Mark
Voltage Security

PS. Yes, I work for a firm who provides data security products to large enterprises.

What if someone compromised iCloud and sat in between #1 and #2? Or am I missing something? I feel like this article is operating on the presumption that Apple itself is invulnerable to attack. As Stuxnet, SecurID, and Lockheed Martin tell us: no one is.

Ding ding ding, we have a winner. So the data is encrypted at rest. That's great if you're worried about someone driving a truck through the wall of Apple's data center and loading up the back with some of their SANs. But if I compromise an iCloud system while it is running, I'll have access to the online data. Even that doesn't concern me so much.

The biggest elephant in the room is, how does iCloud deal with invalid certificates? Browsers have a pretty standard way of prompting the user (who usually clicks through anyway), but what about iCloud? There are likely numerous client-side components that make calls to the cloud. Do they all fail open, or fail closed, during a man-in-the-middle attack? Or is the user prompted? If these components fail open, it's just a matter of time before we see a FireCloud tool released to commoditize the rape of iOS and Mac users on public WiFi. I'm actually surprised Ars didn't test this; it would have made the article much more useful than a pseudo-PR piece of Apple, and shouldn't be hard to test. Maybe I will next time I have a free lunch hour.
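The fail-open versus fail-closed question raised above can be checked without touching any real service: point a client at a loopback HTTPS server that presents a self-signed certificate (from the client's side, the same situation as an interceptor presenting a bogus one) and see whether any application data gets sent. The Go program below is an added example, not code from Ars, Apple, or any iCloud component; it assumes nothing about how Apple's clients are built and uses only the Go standard library (`httptest.NewTLSServer` generates the self-signed certificate). The payload string and the three configuration names are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Outcome records how a client behaved when the server presented a
// certificate that does not chain to one of the client's trusted roots.
type Outcome string

const (
	FailClosed Outcome = "fail-closed" // handshake rejected, no application data sent
	FailOpen   Outcome = "fail-open"   // verification disabled, data exchanged with an unverified peer
	Trusted    Outcome = "trusted"     // certificate chains to an explicitly trusted root
)

// NewUntrustedServer starts a loopback HTTPS server that serves a constructed
// payload under a self-signed certificate (generated by httptest). To a client
// it looks exactly like an interceptor that substituted its own certificate.
func NewUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "constructed-sync-payload")
	}))
}

// Fetch performs one GET with the supplied TLS settings and classifies the result.
// Any handshake or verification error is reported as fail-closed together with
// the error, because in that case no application data crossed the connection.
func Fetch(url string, cfg *tls.Config) (Outcome, string, error) {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return FailClosed, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return FailClosed, "", err
	}
	if cfg.InsecureSkipVerify {
		return FailOpen, string(body), nil
	}
	return Trusted, string(body), nil
}

// PinnedConfig trusts exactly one certificate, the way a sync client can pin
// the issuer it expects instead of relying on whatever the platform store holds.
func PinnedConfig(cert *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// RunScenario exercises three client configurations against the same untrusted
// server and returns the observed outcome for each (names are constructed).
func RunScenario() (map[string]Outcome, error) {
	srv := NewUntrustedServer()
	defer srv.Close()

	configs := map[string]*tls.Config{
		// Platform roots only: the self-signed certificate is unknown, so the
		// handshake must be rejected before any request is sent.
		"system-roots": {MinVersion: tls.VersionTLS12},
		// Verification switched off: the pattern that lets an interceptor read
		// everything the client sends.
		"skip-verify": {InsecureSkipVerify: true, MinVersion: tls.VersionTLS12},
		// Explicit pin on the expected certificate: succeeds here and would
		// reject any substitute certificate.
		"pinned": PinnedConfig(srv.Certificate()),
	}
	results := make(map[string]Outcome, len(configs))
	for name, cfg := range configs {
		outcome, _, err := Fetch(srv.URL, cfg)
		if outcome == FailClosed && err == nil {
			return nil, fmt.Errorf("%s: fail-closed reported without an error", name)
		}
		results[name] = outcome
	}
	return results, nil
}

func main() {
	results, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for name, outcome := range results {
		fmt.Printf("%-13s %s\n", name, outcome)
	}
}
```

The same harness applies to any client library: swap in the library's own HTTP or TLS layer in place of `Fetch`, keep the untrusted loopback server, and the observed outcome tells you whether that component fails closed, fails open, or prompts. The "pinned" configuration is the mitigation for the scenario in the comment: a client that only trusts the certificate it expects cannot be talked into sending data to a substitute, regardless of what the platform store says.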